Update: A Microsoft spokesperson has since issued the following statement:

“MMPC has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.”

Last week, Microsoft took to their Threat Research & Response Blog to talk about the takedown of the Sefnit botnet. One of the revelations was that the company uninstalled Tor clients from computers as part of the clean-up.

Sounds like cause for alarm, right? If what transpired here was Microsoft flipping the kill switch on an application without a user’s consent, then yes. But that’s not how it went down, and it’s not as though Microsoft was uninstalling Tor clients that people had willingly downloaded onto their machines.

Sefnit pulls down Tor as part of its payload once a machine has been infected. It’s then used to obfuscate communications between the infected computer and the Sefnit C&C infrastructure. To ensure that a machine was completely clean, Microsoft and their collaborators decided that Tor had to go.

They were thinking about more than just individual computers, too. The 4 million-plus Sefnit-infected systems put a great deal of strain on the Tor network at the height of the infection. Disabling the service and removing the app from those machines helped lighten the load.

It’s possible that there was some collateral damage here. Some of the machines that were liberated from Sefnit’s clutches may indeed have had Tor installed willingly by their owners.

Microsoft did take steps to ensure that they didn’t overreach. They checked directly with Tor developers to find out if it’s possible that a normal user would set Tor up the way Sefnit did. They were told that was highly unlikely.

To clean infected machines, Microsoft began updating definitions for its antimalware apps. Normally they consider Tor to be a safe application, so the definitions specifically targeted the strange Sefnit setup.
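The article's point is that the definitions targeted the malware's peculiar Tor setup rather than Tor itself, so a legitimately installed Tor client is left alone. The following is an added example, not Microsoft's or MMPC's signature logic and not Sefnit's real configuration: it contrasts a blanket "remove any service that launches tor.exe" rule with a scoped rule that only removes a Tor service co-located with the malware's own service. The service inventory is constructed, the malware service name is a placeholder, and the user-installed record assumes the user registered Tor as a Windows service with `tor --service install`.

```python
"""Scoped versus blanket cleanup of Tor services (added example, constructed data).

The malware indicator below is a placeholder, not a real Sefnit artifact.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ServiceRecord:
    """Minimal view of a Windows service: its name and the binary it launches."""
    name: str
    image_path: str


# Placeholder indicator for the malware's own service (hypothetical, not from the page).
MALWARE_SERVICE_NAMES = {"placeholder-sefnit-service"}
TOR_BINARY_NAMES = {"tor.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_tor_service(rec: ServiceRecord) -> bool:
    """True when the service's image is a Tor binary, wherever it lives."""
    return _basename(rec.image_path) in TOR_BINARY_NAMES


def blanket_rule(services: list[ServiceRecord]) -> list[str]:
    """Overbroad policy: remove every service that launches a Tor binary."""
    return sorted(s.name for s in services if is_tor_service(s))


def scoped_rule(services: list[ServiceRecord]) -> list[str]:
    """Narrow policy: remove a Tor service only when it sits in the same
    directory as a service matching the malware's own indicator."""
    malware_dirs = {
        _parent(s.image_path)
        for s in services
        if s.name.lower() in MALWARE_SERVICE_NAMES
    }
    return sorted(
        s.name
        for s in services
        if is_tor_service(s) and _parent(s.image_path) in malware_dirs
    )


def collateral(services: list[ServiceRecord]) -> list[str]:
    """Tor services the blanket rule would remove but the scoped rule spares."""
    return sorted(set(blanket_rule(services)) - set(scoped_rule(services)))


# Constructed inventory: a malware-dropped Tor beside its dropper's service,
# a user-registered Tor service, and an unrelated Windows service.
CONSTRUCTED_INVENTORY = [
    ServiceRecord("placeholder-sefnit-service", r"C:\ProgramData\placeholder\svc.exe"),
    ServiceRecord("placeholder-tor-service", r"C:\ProgramData\placeholder\tor.exe"),
    ServiceRecord("tor", r"C:\Users\alice\Tor\tor.exe"),  # user ran `tor --service install`
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


if __name__ == "__main__":
    print("blanket removes:", blanket_rule(CONSTRUCTED_INVENTORY))
    print("scoped removes: ", scoped_rule(CONSTRUCTED_INVENTORY))
    print("collateral:     ", collateral(CONSTRUCTED_INVENTORY))
```

Run against the constructed inventory, the blanket rule would also remove the user's own `tor` service, while the scoped rule removes only the Tor instance living next to the placeholder malware service; the difference is exactly the collateral damage the article says Microsoft tried to avoid by checking how a normal user would install Tor.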

In three months they removed Sefnit and Tor from around two million computers. The job's only about half done, likely because the remaining systems are running other antimalware software.

Microsoft has passed the details along to the 16 other members of the Virus Information Alliance, so hopefully the cleanup will be completed soon and it’ll be business as usual for Tor once more.